| Message ID | 20220216201743.2088344-1-keescook@chromium.org (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | lkdtm/usercopy: Expand size of "out of frame" object | expand |
Hi Kees,
I love your patch! Yet something to improve:
[auto build test ERROR on char-misc/char-misc-testing]
[also build test ERROR on soc/for-next kees/for-next/pstore v5.17-rc4 next-20220216]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Kees-Cook/lkdtm-usercopy-Expand-size-of-out-of-frame-object/20220217-041936
base: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git e6cb9c167eeb8f90ab924666c573e69e85e700a0
config: riscv-allmodconfig (https://download.01.org/0day-ci/archive/20220217/202202170604.hO1q7HZU-lkp@intel.com/config)
compiler: riscv64-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/0day-ci/linux/commit/aa676e88f535bd79a3e22a1cc70c9b6cc51dbbfe
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Kees-Cook/lkdtm-usercopy-Expand-size-of-out-of-frame-object/20220217-041936
git checkout aa676e88f535bd79a3e22a1cc70c9b6cc51dbbfe
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=riscv SHELL=/bin/bash drivers/misc/lkdtm/
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
In file included from include/linux/kernel.h:29,
from drivers/misc/lkdtm/lkdtm.h:7,
from drivers/misc/lkdtm/usercopy.c:6:
drivers/misc/lkdtm/usercopy.c: In function 'do_usercopy_stack':
>> drivers/misc/lkdtm/usercopy.c:74:46: error: 'current_stack_pointer' undeclared (first use in this function); did you mean 'kernel_stack_pointer'?
74 | pr_info("stack : %px\n", (void *)current_stack_pointer);
| ^~~~~~~~~~~~~~~~~~~~~
include/linux/printk.h:418:33: note: in definition of macro 'printk_index_wrap'
418 | _p_func(_fmt, ##__VA_ARGS__); \
| ^~~~~~~~~~~
include/linux/printk.h:519:9: note: in expansion of macro 'printk'
519 | printk(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
| ^~~~~~
drivers/misc/lkdtm/usercopy.c:74:9: note: in expansion of macro 'pr_info'
74 | pr_info("stack : %px\n", (void *)current_stack_pointer);
| ^~~~~~~
drivers/misc/lkdtm/usercopy.c:74:46: note: each undeclared identifier is reported only once for each function it appears in
74 | pr_info("stack : %px\n", (void *)current_stack_pointer);
| ^~~~~~~~~~~~~~~~~~~~~
include/linux/printk.h:418:33: note: in definition of macro 'printk_index_wrap'
418 | _p_func(_fmt, ##__VA_ARGS__); \
| ^~~~~~~~~~~
include/linux/printk.h:519:9: note: in expansion of macro 'printk'
519 | printk(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
| ^~~~~~
drivers/misc/lkdtm/usercopy.c:74:9: note: in expansion of macro 'pr_info'
74 | pr_info("stack : %px\n", (void *)current_stack_pointer);
| ^~~~~~~
vim +74 drivers/misc/lkdtm/usercopy.c
> 6 #include "lkdtm.h"
7 #include <linux/slab.h>
8 #include <linux/vmalloc.h>
9 #include <linux/sched/task_stack.h>
10 #include <linux/mman.h>
11 #include <linux/uaccess.h>
12 #include <asm/cacheflush.h>
13
14 /*
15 * Many of the tests here end up using const sizes, but those would
16 * normally be ignored by hardened usercopy, so force the compiler
17 * into choosing the non-const path to make sure we trigger the
18 * hardened usercopy checks by added "unconst" to all the const copies,
19 * and making sure "cache_size" isn't optimized into a const.
20 */
21 static volatile size_t unconst;
22 static volatile size_t cache_size = 1024;
23 static struct kmem_cache *whitelist_cache;
24
25 static const unsigned char test_text[] = "This is a test.\n";
26
27 /*
28 * Instead of adding -Wno-return-local-addr, just pass the stack address
29 * through a function to obfuscate it from the compiler.
30 */
31 static noinline unsigned char *trick_compiler(unsigned char *stack)
32 {
33 return stack + unconst;
34 }
35
36 static noinline unsigned char *do_usercopy_stack_callee(int value)
37 {
38 unsigned char buf[128];
39 int i;
40
41 /* Exercise stack to avoid everything living in registers. */
42 for (i = 0; i < sizeof(buf); i++) {
43 buf[i] = value & 0xff;
44 }
45
46 /*
47 * Put the target buffer in the middle of stack allocation
48 * so that we don't step on future stack users regardless
49 * of stack growth direction.
50 */
51 return trick_compiler(&buf[(128/2)-32]);
52 }
53
54 static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
55 {
56 unsigned long user_addr;
57 unsigned char good_stack[32];
58 unsigned char *bad_stack;
59 int i;
60
61 /* Exercise stack to avoid everything living in registers. */
62 for (i = 0; i < sizeof(good_stack); i++)
63 good_stack[i] = test_text[i % sizeof(test_text)];
64
65 /* This is a pointer to outside our current stack frame. */
66 if (bad_frame) {
67 bad_stack = do_usercopy_stack_callee((uintptr_t)&bad_stack);
68 } else {
69 /* Put start address just inside stack. */
70 bad_stack = task_stack_page(current) + THREAD_SIZE;
71 bad_stack -= sizeof(unsigned long);
72 }
73
> 74 pr_info("stack : %px\n", (void *)current_stack_pointer);
75 pr_info("good_stack: %px-%px\n", good_stack, good_stack + sizeof(good_stack));
76 pr_info("bad_stack : %px-%px\n", bad_stack, bad_stack + sizeof(good_stack));
77
78 user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
79 PROT_READ | PROT_WRITE | PROT_EXEC,
80 MAP_ANONYMOUS | MAP_PRIVATE, 0);
81 if (user_addr >= TASK_SIZE) {
82 pr_warn("Failed to allocate user memory\n");
83 return;
84 }
85
86 if (to_user) {
87 pr_info("attempting good copy_to_user of local stack\n");
88 if (copy_to_user((void __user *)user_addr, good_stack,
89 unconst + sizeof(good_stack))) {
90 pr_warn("copy_to_user failed unexpectedly?!\n");
91 goto free_user;
92 }
93
94 pr_info("attempting bad copy_to_user of distant stack\n");
95 if (copy_to_user((void __user *)user_addr, bad_stack,
96 unconst + sizeof(good_stack))) {
97 pr_warn("copy_to_user failed, but lacked Oops\n");
98 goto free_user;
99 }
100 } else {
101 /*
102 * There isn't a safe way to not be protected by usercopy
103 * if we're going to write to another thread's stack.
104 */
105 if (!bad_frame)
106 goto free_user;
107
108 pr_info("attempting good copy_from_user of local stack\n");
109 if (copy_from_user(good_stack, (void __user *)user_addr,
110 unconst + sizeof(good_stack))) {
111 pr_warn("copy_from_user failed unexpectedly?!\n");
112 goto free_user;
113 }
114
115 pr_info("attempting bad copy_from_user of distant stack\n");
116 if (copy_from_user(bad_stack, (void __user *)user_addr,
117 unconst + sizeof(good_stack))) {
118 pr_warn("copy_from_user failed, but lacked Oops\n");
119 goto free_user;
120 }
121 }
122
123 free_user:
124 vm_munmap(user_addr, PAGE_SIZE);
125 }
126
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Hi Kees,
I love your patch! Yet something to improve:
[auto build test ERROR on char-misc/char-misc-testing]
[also build test ERROR on soc/for-next kees/for-next/pstore v5.17-rc4 next-20220216]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Kees-Cook/lkdtm-usercopy-Expand-size-of-out-of-frame-object/20220217-041936
base: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git e6cb9c167eeb8f90ab924666c573e69e85e700a0
config: hexagon-randconfig-r045-20220216 (https://download.01.org/0day-ci/archive/20220217/202202170613.eIFMv4np-lkp@intel.com/config)
compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project 0e628a783b935c70c80815db6c061ec84f884af5)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/0day-ci/linux/commit/aa676e88f535bd79a3e22a1cc70c9b6cc51dbbfe
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Kees-Cook/lkdtm-usercopy-Expand-size-of-out-of-frame-object/20220217-041936
git checkout aa676e88f535bd79a3e22a1cc70c9b6cc51dbbfe
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=hexagon SHELL=/bin/bash drivers/misc/lkdtm/
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
>> drivers/misc/lkdtm/usercopy.c:74:39: error: use of undeclared identifier 'current_stack_pointer'
pr_info("stack : %px\n", (void *)current_stack_pointer);
^
1 error generated.
vim +/current_stack_pointer +74 drivers/misc/lkdtm/usercopy.c
53
54 static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
55 {
56 unsigned long user_addr;
57 unsigned char good_stack[32];
58 unsigned char *bad_stack;
59 int i;
60
61 /* Exercise stack to avoid everything living in registers. */
62 for (i = 0; i < sizeof(good_stack); i++)
63 good_stack[i] = test_text[i % sizeof(test_text)];
64
65 /* This is a pointer to outside our current stack frame. */
66 if (bad_frame) {
67 bad_stack = do_usercopy_stack_callee((uintptr_t)&bad_stack);
68 } else {
69 /* Put start address just inside stack. */
70 bad_stack = task_stack_page(current) + THREAD_SIZE;
71 bad_stack -= sizeof(unsigned long);
72 }
73
> 74 pr_info("stack : %px\n", (void *)current_stack_pointer);
75 pr_info("good_stack: %px-%px\n", good_stack, good_stack + sizeof(good_stack));
76 pr_info("bad_stack : %px-%px\n", bad_stack, bad_stack + sizeof(good_stack));
77
78 user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
79 PROT_READ | PROT_WRITE | PROT_EXEC,
80 MAP_ANONYMOUS | MAP_PRIVATE, 0);
81 if (user_addr >= TASK_SIZE) {
82 pr_warn("Failed to allocate user memory\n");
83 return;
84 }
85
86 if (to_user) {
87 pr_info("attempting good copy_to_user of local stack\n");
88 if (copy_to_user((void __user *)user_addr, good_stack,
89 unconst + sizeof(good_stack))) {
90 pr_warn("copy_to_user failed unexpectedly?!\n");
91 goto free_user;
92 }
93
94 pr_info("attempting bad copy_to_user of distant stack\n");
95 if (copy_to_user((void __user *)user_addr, bad_stack,
96 unconst + sizeof(good_stack))) {
97 pr_warn("copy_to_user failed, but lacked Oops\n");
98 goto free_user;
99 }
100 } else {
101 /*
102 * There isn't a safe way to not be protected by usercopy
103 * if we're going to write to another thread's stack.
104 */
105 if (!bad_frame)
106 goto free_user;
107
108 pr_info("attempting good copy_from_user of local stack\n");
109 if (copy_from_user(good_stack, (void __user *)user_addr,
110 unconst + sizeof(good_stack))) {
111 pr_warn("copy_from_user failed unexpectedly?!\n");
112 goto free_user;
113 }
114
115 pr_info("attempting bad copy_from_user of distant stack\n");
116 if (copy_from_user(bad_stack, (void __user *)user_addr,
117 unconst + sizeof(good_stack))) {
118 pr_warn("copy_from_user failed, but lacked Oops\n");
119 goto free_user;
120 }
121 }
122
123 free_user:
124 vm_munmap(user_addr, PAGE_SIZE);
125 }
126
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
On 2/17/22 1:17 AM, Kees Cook wrote: > To be sufficient out of range for the usercopy test to see the lifetime > mismatch, expand the size of the "bad" buffer, which will let it be > beyond current_stack_pointer regardless of stack growth direction. > Paired with the recent addition of stack depth checking under > CONFIG_HARDENED_USERCOPY=y, this will correctly start tripping again. > > Reported-by: Muhammad Usama Anjum <usama.anjum@collabora.com> > Cc: Arnd Bergmann <arnd@arndb.de> > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
diff --git a/drivers/misc/lkdtm/usercopy.c b/drivers/misc/lkdtm/usercopy.c index 9161ce7ed47a..781345ea3b07 100644 --- a/drivers/misc/lkdtm/usercopy.c +++ b/drivers/misc/lkdtm/usercopy.c @@ -30,12 +30,12 @@ static const unsigned char test_text[] = "This is a test.\n"; */ static noinline unsigned char *trick_compiler(unsigned char *stack) { - return stack + 0; + return stack + unconst; } static noinline unsigned char *do_usercopy_stack_callee(int value) { - unsigned char buf[32]; + unsigned char buf[128]; int i; /* Exercise stack to avoid everything living in registers. */ @@ -43,7 +43,12 @@ static noinline unsigned char *do_usercopy_stack_callee(int value) buf[i] = value & 0xff; } - return trick_compiler(buf); + /* + * Put the target buffer in the middle of stack allocation + * so that we don't step on future stack users regardless + * of stack growth direction. + */ + return trick_compiler(&buf[(128/2)-32]); } static noinline void do_usercopy_stack(bool to_user, bool bad_frame) @@ -66,6 +71,10 @@ static noinline void do_usercopy_stack(bool to_user, bool bad_frame) bad_stack -= sizeof(unsigned long); } + pr_info("stack : %px\n", (void *)current_stack_pointer); + pr_info("good_stack: %px-%px\n", good_stack, good_stack + sizeof(good_stack)); + pr_info("bad_stack : %px-%px\n", bad_stack, bad_stack + sizeof(good_stack)); + user_addr = vm_mmap(NULL, 0, PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE, 0);
To be sufficient out of range for the usercopy test to see the lifetime mismatch, expand the size of the "bad" buffer, which will let it be beyond current_stack_pointer regardless of stack growth direction. Paired with the recent addition of stack depth checking under CONFIG_HARDENED_USERCOPY=y, this will correctly start tripping again. Reported-by: Muhammad Usama Anjum <usama.anjum@collabora.com> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Kees Cook <keescook@chromium.org> --- drivers/misc/lkdtm/usercopy.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-)